Re: Firewall - Very limited Access - suggestions

At 09:51 5/30/2004, Jack Bowling wrote:
> Hi, Kevin. GUI front ends to netfilter/iptables such as Firestarter,
> GuardDog, Shorewall, etc. should all be considered as learning tools. They
> will allow you to have a decent firewall in place while you roll up your
> sleeves and do your homework on how iptables works. There is *no*
> substitute for writing your own iptables rules.

I disagree. Shorewall is not a GUI to use as a learning tool... for starters, it is not a GUI at all. Shorewall is a *very* powerful configuration tool which covers damn near everything you can do with iptables, and its text files are orders of magnitude easier to learn, well-documented, clear, and actively supported by the author.


I wrote ipchains rules by hand for years. Then I wrote iptables rules by hand for months. Then I found Shorewall, and I've never looked back... over 100 systems now and counting. It's allowed me to do things for which I had not yet mastered the iptables syntax, and also things I didn't know iptables could do. :-)

As a further note: I have come to believe that user error makes it too easy to make mistakes on a hand-written script, *regardless* of the skill level of the administrator. In any human endeavor seeking precision, repeatability, and reduction of errors, tools are used to automate tasks like this. I much prefer Shorewall to hand-editing iptables rules; not only is it easier, I believe the end result (because it eliminates many possible errors I might make) is more secure.

Cheers,


-- Rodolfo J. Paiz rpaiz@xxxxxxxxxxxxxx http://www.simpaticus.com


